At Corsec, we have the opportunity to work with many industry insiders, partners, and labs as we help our clients through the security validation process. This gives us a unique perspective on the changes occurring within the IT security space. One group of particular interest right now is ISO/IEC JTC 1/SC 27's WG 3 (Working Group 3). Its work gives us insight into planned changes in the areas of evaluation, testing, and specification for the IT security industry. I recently had the opportunity to sit down with the WG 3 Convenor, Miguel Bañón, to discuss the group overall, the current work of WG 3, the organization's objectives, and hot topics within the industry. In part one of our talk, we tackle the big picture.
Q: Mr. Bañón, what is the overall purpose of WG 3 and its goals?
A: Well, to answer that, we have to start with the purpose and goals of the ISO/IEC JTC 1/SC 27, which we then can narrow down to our specific technical terms of reference.
There are three global sister organizations (ISO, IEC, ITU) that develop and publish International Standards for the world. The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) have set up a Joint Technical Committee (JTC 1), titled “Information Technology,” which is the standards development environment where experts come together to develop worldwide Information and Communication Technology (ICT) standards for business and consumer applications. Within JTC 1, Subcommittee 27 deals with “Security Techniques,” and finally, in WG 3 (Working Group 3) we work in the area of “Security Evaluation, Testing and Specification.” So we develop and publish international standards in the field of “Security Evaluation, Testing and Specification,” which can be considered “Security Techniques” for “Information Technology.”
Q: Can you offer a bit of background on the working group? For instance, how often do you meet?
A: We meet twice a year, in spring and autumn. In between these WG 3 plenary meetings, editors prepare and submit revised versions of the working documents, which are distributed for study, comment or ballot to the many Standardization National Bodies that are members of the SC 27/WG 3.
Q: How many members are in the group?
A: Countries join the SC 27, and appoint experts to the meetings on a need-to-attend basis. As of today, there are 51 participating countries in SC 27, and 17 more observing.
Q: How diverse is the group?
A: Currently, we have 84 experts registered at WG 3 from our long list of countries including Australia, Belgium, Brazil, Canada, China, and the Russian Federation, to name a few. We have quite a diverse and rich representation that includes members from every continent, with the exception of Antarctica.
Q: What kinds of backgrounds do the members have?
A: The standard development process demands a unique blend of expertise in our delegates, because they need not only be technical experts in the field of the specific standards that they work on, but also fluent in the ISO/IEC JTC 1/SC 27 principles and procedures, and efficient in a very diverse and rich working group that is consensus driven.
Q: How was the group first formulated?
A: The SC 27/WG 3 was created in 1990, so we have more than 20 years of history and achievements, and a brilliant future ahead of us. Standardization committees are created when there is a need to cover a specific area with new standards, which no existing group is already solving.
Q: How does the WG 3 come up with agenda (what you’re going to talk about), priorities and initiatives?
A: The agenda is around the program of work, which is shaped by the standards under development, and by the maintenance of the already published standards. In addition, we explore new options with study periods, and collaborate with other external organizations through liaison channels.
Q: How long does the study period last?
A: They are launched for six-month periods, so we can have feedback and evaluate their progress at our regular meetings.
Q: With it being a six-month period and understanding how quickly interest and technology can change, do you ever find that you launch a study and receive feedback, but by time the study period is over, the technology has changed?
A: Not that much. Even if the product landscape changes very fast, the underlying security principles and problems are not so dynamic. The problem is not so much that technology changes, or evolves, but that the world does not wait for us to know how to secure the ICT before starting to use it. We are still using binary-coded information in Turing machines, and many of their initial security problems are still open.
Q: Since WG 3 decides on priorities by consensus, what percentage is required to move a decision forward?
A: We define consensus as the general agreement, characterized by the absence of sustained opposition to substantial issues by any important part of the concerned interests. It’s also a process that involves seeking to take into account the views of all parties concerned and to reconcile any conflicting arguments. The general rule is two-thirds majority of the participating countries can be sufficient to make a decision, but unanimity is always preferred.
Q: What are the current initiatives of the WG 3?
A: We have three very easily identifiable core standards: ISO/IEC 15408 “Evaluation Criteria for IT Security,” ISO/IEC 19790 “Security Requirements for Cryptographic Modules,” and ISO/IEC 11889 “Trusted Platform Module.” Around these, we have complementing standards and technical reports.
In addition, we are exploring new grounds with study periods on standards for privacy seal programs, security evaluation of anti-spoofing techniques for biometrics, predictive assurance and high assurance, and a new work item proposal on a catalogue of architectural and design principles for secure products, systems and applications.
Q: Could you tell me more about the relevant sectors that your work affects?
A: Our standards provide an answer to the need to evaluate and test the security of ICT, so it would be difficult to imagine who, nowadays, does not need to have assurance that the technology that is being developed, acquired, or used is secure. We are seeing an increase in the popularity of security certification demanded by companies outside classified governmental agencies, and sought by vendors that need to ensure the acceptance of their products in the market.
Q: How are Protection Profiles (PPs) being addressed within the working group?
A: We already have security specifications for particular product types (19790 and 11889), but these are not consistent with the security evaluation standard (15408), as they are designed for conformance testing. A PP would be a perfect security specification for a specific product type, but aimed at security evaluation under ISO/IEC 15408.
Q: What is the development process?
A: All of our standards share the same development process. The opportunity to launch a new standard is balloted by the Standardization National Bodies, and if we receive sufficient support, we go for it. The project goes through different stages of maturity and approval, and we can expect a full-blown new standard in two years’ time.
Q: What is the ISO’s relationship with Common Criteria Development Board (CCDB)?
A: We have an ongoing liaison with the CCDB, initially for the coordination regarding their Common Evaluation Criteria and Methodology and our ISO/IEC 15408 and 18045, but it has been expanded to cover other standards and technical reports of mutual interest. The collaboration has been so effective that these standards have been maintained fully aligned since their initial publication, and are effectively the same text. We have been developing other complementing projects, which I’m sure will be useful to the Common Criteria community.
About Miguel Bañón
Miguel Bañón has a Master’s Degree in computer science and began working in the aerospace sector (www.inta.es) as a researcher in the area of safety and airworthiness certification. From safety he began to cover security, and moved into the security evaluation and certification field in the mid-1990s, originally as the technical manager of the first security evaluation facility in Spain. After 13 years, he moved to consulting for both private-sector and governmental organizations. In 2007, he formed Epoche & Espri (www.epoche.es), the only company in Spain whose sole business is security evaluation and testing. Mr. Bañón was a member of Spain’s national standards committee in the late 1990s, and started his participation in the international WG 3 group in 1999, which he has convened since May 2009.